A business that holds, utilizes or maintains electronic personal information is not only legally required to protect that sensitive information, but is exposed to costly liability for any failure to do so.

Effective November 2, 2018, however, Ohio business and nonprofit entities will have an additional tool to help them mitigate some of that liability. Pursuant to a new law, businesses that access, maintain, communicate or handle electronic personal or restricted information will have an affirmative defense to a civil action resulting from a data breach if the entity is accused of failing to implement reasonable security controls to prevent the breach.

To prove the affirmative defense, the entity must either:

Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information, that meets the design, scale and scope requirements and that reasonably conforms to an industry recognized cybersecurity framework listed in Section 1354.03 of the Revised Code; or

Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information that meets the design, scale and scope requirements and that reasonably conforms to an industry recognized cybersecurity framework listed in Section 1354.03 of the Revised Code.

The cybersecurity program must be designed to do all of the following with respect to the information meant to be protected:

Protect the security and confidentiality of the information.

Protect against any anticipated threats or hazards to the security or integrity of the information.

Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

For certain restricted information, other security protocols may apply, such as: the security requirements of the Health Insurance Portability and Accountability Act of 1996; Title V of the Gramm-Leach-Biley Act of 1999; the Federal Information Security Modernization Act of 2014; or the Health Information Technology for Economic and Clinical Health Act.